Just a small word to the wise as I work with pfSense and pfBlockerNG on almost a daily
basis: the geolocation in pfBlockerNG (which uses the MaxMind databases) is not 100%
up to date.
Be very careful with it as you might block other unwanted countries/traffic :)
Just my $0.02
Ruben - ON3RVH
> On 7 Jan 2018, at 16:40, Tony Ellis <tonyellis3.te(a)gmail.com> wrote:
>
> In my career, I have built several VPNs through a firewall and NATed the
> public IP to a private IP address. However, I have only done this on Cisco
> equipment; that is mainly what I work on all the time. It would be a
> static IP NAT if you have a second public IP address. If you do not, you
> will have to do a static port NAT sharing your outside public IP address
> that you get from your provider. It sounds like you are on the right
> track. pfSense should be able to do that, but it has been quite some time
> since I have messed with pfSense. Putting it in the DMZ is very wise.
>
> Also, a lot of firewalls have a geolocation block function. It appears
> pfSense has this as well if you add in the pfBlocker package. In several
> scenarios, a lot of people don't need to communicate with specific
> countries; therefore, what I have done over the years is block traffic to
> and from certain countries, like in your instance Russia. You could do
> it by public IP blocks, but the administrative overhead with doing this is
> a nightmare. So, with geolocation block, you just select the country and the
> firewall does the rest, just for another added layer of protection.
>
> Take care, Tony
>
>> On Fri, Jan 5, 2018 at 6:36 PM, Tom Cardinal <ki4szj(a)gmail.com> wrote:
>>
>> Greetings,
>> I was working with Dan Cooper last spring to turn my pfSense box into an
>> AMPR gateway. At the time I was trying to learn how IPIP worked AND how BSD
>> (pfSense) worked. I'm pretty well versed in Linux... BSD... not so much.
>>
>> At the time I moved to Linux and Lynwood helped me get my head around how
>> the IPIP tunneling works. After seeing the volume of traffic that tries to
>> crack into my residential ISP connection (even though it fails) I've
>> decided to put my ampr gateway into a DMZ. I'm currently in the process of
>> moving my AMPR gateway into a pfSense DMZ.
>>
>> I work in a loosely security related position at work and I'm doing this
>> as a security measure to knock down some of the noise my Linux
>> gateway/router/firewall/AMPR gateway was seeing, mostly from Russia, China
>> and other places that I didn't research. My new AMPR gateway will still be
>> on Linux, actually Raspbian on a Raspberry Pi, but the only traffic it'll
>> ever see is encapsulated traffic and traffic from my network because all of
>> the other noise will be filtered by the pfSense box and won't exist in my
>> DMZ.
>>
>> Out of the box the pfSense user interface doesn't have support for
>> ipencap or AX25. I did a little bit of research (Google) and found an
>> older post on the pfSense forum about which files to edit to add ipencap
>> and ax25 to the UI. Also, I just asked on the pfSense subreddit to see if
>> there are any other places within the pfSense UI to edit which protocols
>> are available for use.
>>
>> Is anyone else using this method to NAT forward IPIP traffic to an
>> internal gateway (in my case using pfSense)? I'm looking to find out if
>> I've missed anything with the port forwarding before I move forward. I know
>> Brian (N1URO) was working with IPIP tunneling behind a NAT and I think
>> (THINK) this might work.
>>
>> So... here's what I've done.
>>
>> pfSense version is 2.4.2p1. File edits follow...
>>
>> In file:
>> /usr/local/www/firewall_nat_edit.php
>>
>> On line 708, change:
>> $protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF";
>>
>> To:
>> $protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF IPENCAP AX25";
>>
>> In file:
>> /usr/local/www/firewall_nat_out_edit.php
>>
>> On line 510, change:
>> $protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync";
>>
>> To:
>> $protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync IPENCAP AX25";
>>
>> In file:
>> /usr/local/www/firewall_rules_edit.php
>>
>> Insert as line 1315 and 1316:
>> 'ipencap' => 'IPENCAP',
>> 'ax25' => 'AX25',
>>
>> --
>> Tom / n2xu / MSgt USAF (Ret) / BSCS, CASP
>> _________________________________________
>> 44Net mailing list
>> 44Net(a)mailman.ampr.org
>> https://mailman.ampr.org/mailman/listinfo/44net
>>
>
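Tom's three file edits above, as an added example that is not part of the original thread or of pfSense itself: a POSIX shell script that applies them idempotently, keeps a .bak copy of each file, and uses portable sed/awk instead of `sed -i` (whose syntax differs between FreeBSD and GNU). It assumes the `$protocols` lines look exactly as quoted in the post and that the array entries go in by line number as the post states; the line numbers are the ones given for 2.4.2p1 and should be checked on other versions.

```shell
#!/bin/sh
# Added example (not pfSense's code): apply the three UI edits from the post
# idempotently, with backups. Assumes the $protocols lines are as quoted and
# that the array entries are inserted by line number as the post says.
# Usage: sh add_ipencap.sh --apply [ROOT]   (ROOT defaults to /usr/local/www)
set -eu

# Append the given tokens to the $protocols = "..." string in FILE, skipping
# tokens already present (a token is matched only at a space/quote boundary).
extend_protocols() {
    file=$1; shift
    missing=""
    for t in "$@"; do
        grep -Eq '^\$protocols = "([^"]* )?'"$t"'( [^"]*)?";' "$file" \
            || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    cp "$file" "$file.bak"
    # '|' as the s/// delimiter because tokens such as TCP/UDP contain '/'
    sed 's|^\(\$protocols = "[^"]*\)";|\1'"$missing"'";|' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Insert the two PHP array entries so they become lines N and N+1 of FILE,
# unless an 'ipencap' entry is already there. awk -v expands the \n escape.
insert_array_entries() {
    file=$1; n=$2
    grep -q "'ipencap' => 'IPENCAP'" "$file" && return 0
    cp "$file" "$file.bak"
    awk -v n="$n" -v txt="'ipencap' => 'IPENCAP',\n'ax25' => 'AX25'," \
        'NR == n { print txt } { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Apply all three edits from the post below ROOT. The line number 1315 is the
# one given for pfSense 2.4.2p1; verify it before running on another version.
apply_pfsense_edits() {
    root=${1:-/usr/local/www}
    extend_protocols "$root/firewall_nat_edit.php" IPENCAP AX25
    extend_protocols "$root/firewall_nat_out_edit.php" IPENCAP AX25
    insert_array_entries "$root/firewall_rules_edit.php" 1315
}

if [ "${1:-}" = "--apply" ]; then
    apply_pfsense_edits "${2:-}"
fi
```

Re-running the script is safe: lists that already contain both tokens and a rules file that already has the 'ipencap' entry are left untouched and no new .bak is written.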